Info on CONFICKER - how to tell if you are infected

[Bill]

I thought this was worthwhile enough to pass along...

I keep my machine on autoupdate everything nowadays - I seem to be okay.

The autorun hole that conficker exploits was patched last october, as I understand it.

http://download.nai.com/products/mca...icker_worm.pdf

Finding W32/Conficker.worm

W32/Conficker.worm can often be quickly found by running the following command
from a cmd prompt in the System32 folder/directory:
Dir /ah
Due to the unusual file permissions it sets for itself, it is often easy to identify the worm
using this technique.
Using regedit.exe, navigate to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key and look for
service entries with no subfolder. Because W32/Conficker.worm sets restrictive
permissions on subkeys, the malicious service entry will not have a subkey listed.
Another, longer method is to interrogate the netsvcs entry.
In the Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\SvcHost
In the details pane, right-click the netsvcs entry, and then click Modify.
Scroll down to the bottom of the list. If the computer is infected with Conficker.b, a
random service name will be listed. For example, in this procedure, we will assume the
name of the malware service is

axsdgfdb. Note the name of the malware service. You
will need this information later in this procedure.
Delete the line that contains the reference to the malware service. Make sure that you
leave a blank line feed under the last legitimate entry that is listed, and then click OK.
Note: All the entries in the following list are valid. Do not delete any of these entries. The
entry that must be deleted will be a randomly generated name that is the last entry in the
list.
1. 6to4

2.

AppMgmt

3.

AudioSrv

4.

Browser

5.

CryptSvc

6.

DMServer

7.

DHCP

8.

…

9.

…

10.

WmdmPmSN

11.

axsdgfdb

The list above was shortened between the two ellipses (…) entries to save space. The list
may contain more than 11 entries.
In a previous procedure, you noted the name of the malware service. In our example, the
name of the malware entry is

axsdgfdb. Using this information, follow these steps:
In the Registry Editor, locate and then click the following registry subkey, where
“BadServiceName” is the name of the malware service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BadServiceName
For example, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ axsdgfdb

Right-click the subkey in the navigation pane for the malware service name, and then
click Permissions.
In the Permissions Entry for the SvcHost dialog box, click Advanced.
In the Advanced Security Settings dialog box, click to select both of the following check
boxes:
Inherit from parent the permission entries that apply to child objects. Include
these with entries explicitly defined here.
Replace permission entries on all child objects with entries shown here that apply
to child objects.
Press F5 to update the Registry Editor. In the details pane, you can now see and edit the
W32/Conficker.worm DLL that loads as ServiceDll. To do this, follow these steps:
Double-click the ServiceDll entry.
Note the path of the referenced DLL. You will need this information later in this
procedure. For example, the path of the referenced DLL may resemble the following:

%SystemRoot%\System32\mxlsaswq.dll

Rename the reference to resemble the following:

%SystemRoot%\System32\ mxlsaswq.old

Click OK.
Remove the malware service entry from the Run subkey in the registry.
In the Registry Editor, locate and then click the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In both subkeys, locate any entry that begins with rundll32.exe and also references the
malware DLL that loads as ServiceDll, which you identified in the steps above.
Delete the entries.
Exit the Registry Editor, and then restart the computer.
If you see repeated memory detections upon running an On Demand Scan and rebooting
several times does not clear the detection, then you may have a new variant.
Run an On Demand Scan with the latest beta DAT files. We add new
W32/Conficker.worm variants daily.
The latest-generation W32/Conficker.worm uses an autorun.inf file and c:\recycled folder
to reinfect already compromised hosts.
The autorun.inf file appears to be a garbage binary file, but it still works. It is typically
dropped into the recycle folder. Note the similarity in command to that of the Scheduled
Tasks.
Garbage…
shelLExECUte RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-
879315005-3665\jwgkvsq.vmx,ahaezedrn

Garbage…

[raymor]

For those who are tired of monthly infections and scares of serious exploits
run rampant, I'd like to offer our assistance, at no charge, in upgrading to
a secure system, Linux. We've been using Linux exclusively for several
years and would be happy to help anyone who needs it.

[Cleo]

No worms here

[bDok]

but if you need to... free removal tool

[cd34]

Actually, I saw a news report yesterday that said the easiest way to detect whether you were infected was to go to microsoft.com -- if you couldn't reach that, you needed to run windows update to download the latest patches. Of course, if you can't reach microsoft, you cannot reach the windows update site.

If you are infected, you will not be able to download that kit from Symantec either. Symantec and Cert are putting together other URLs that will be able to be accessed. If you kept up to date with the Microsoft service packs, the bug that allowed conficker to be installed was patched in October.

[Torn Rose]

Quote:

Originally Posted by cd34

Actually, I saw a news report yesterday that said the easiest way to detect whether you were infected was to go to microsoft.com -- if you couldn't reach that, you needed to run windows update to download the latest patches. Of course, if you can't reach microsoft, you cannot reach the windows update site.

If you are infected, you will not be able to download that kit from Symantec either. Symantec and Cert are putting together other URLs that will be able to be accessed. If you kept up to date with the Microsoft service packs, the bug that allowed conficker to be installed was patched in October.

Yeah I just read that as well and was going to post it, but as usual I am too late.

The story I read said if you tried to go to MS or some anti virus site and can't get to the site, you need to have someone else who is not infected to download the fix for you.

Fuck MS...

[nate]

Quote:

Originally Posted by raymor

I'd like to offer our assistance, at no charge, in upgrading to
a secure system, Linux.

I love linux (I have it on two computers) but the thought of designing websites on it without frontpage, fireworks photoshop and a hundred other apps I use daily sounds unpleasant. Also, no autocad :-(

And as of fedora 9 I couldn't get all three monitors to work, and two isnt enough, and one is out of the question.

However, for normal computer users, I think linux would be a much better system than windows... as long as the user cant get root.

That reminds me, yum update...
44 packages to update... including the kernel. There goes my uptime.

http://www.greenguysboard.com/board/...milies/cry.gif

[cd34]

http://www.confickerworkinggroup.org...feyechart.html - if you can see all of the images, your machine doesn't have Conficker.

Still no real thoughts as to what it is going to do. Wednesday it started to download payloads from a site and disables a portion of the older early version code. It is estimated that about 18 million machines worldwide are affected. If you kept up with your windows updates, you should be safe.

[raymor]

Quote:

Originally Posted by nate

I love linux (I have it on two computers) but the thought of designing websites on it without frontpage, fireworks photoshop and a hundred other apps I use daily sounds unpleasant. Also, no autocad :-(

I looked at the first few pieces of software you mentioned and it looks like
you could do those things in Linux. Photoshop, AutoCAD and Fireworks
are reported to run under Wine. Of course there's no need to use
Photoshop - several major film studios use Gimp, which is very very
similar to Photoshop. Similarly, there are a few decent CAD programs
on Linux, each with a different focus depending on what you use it for.
AutoCAD is of course the industry standard, so you might choose to
use AutoCAD through Wine, but one of the other CAD programs might
actually fit your needs better.

As far as FrontPage, I once flew out to set up a system for a webmaster.
Walking in to his office, I saw an unopened copy of FrontPage on his desk.
Without saying a word, I picked it up, walked over to the Window, threw FP
out the window, then sat down and started talking about the cam system
we were working on. Could you use FP on Linux - I don't know, all I can
say about a professional webmaster using FrontPage for a professional
site at all is .

[cd34]

Quote:

Originally Posted by nate

I love linux (I have it on two computers) but the thought of designing websites on it without frontpage, fireworks photoshop and a hundred other apps I use daily sounds unpleasant. Also, no autocad :-(

http://www.osalt.com/ is a pretty decent reference to find replacements as well. As for a replacement to frontpage, there's NVU, Quanta and Aptana. They are all similar and are not too difficult to use.

Quote:

Originally Posted by raymor

Of course there's no need to use
Photoshop - several major film studios use Gimp, which is very very
similar to Photoshop.

There is http://www.gimpshop.com/ which makes gimp look and act like photoshop. If you do anything with print-media, Gimp isn't for you. Gimp also has binaries to allow it to be run on Windows if you want to try it without taking the plunge.

Not that it is a great alternative, but, http://www.winehq.com/ does show a number of applications and their compatibility running using Wine. I was never 100% satisfied with Wine with certain applications. Even Gold Star applications had occasional hitches. If you pick the right machine, you can run Xen or KVM to run a virtualized OS underneath linux to run your application if you can't find a replacement. Some applications can be run in 'coherence' mode which means that it just opens up the app window rather than showing you a miniaturized desktop.

Linux will definitely be difficult for a power user to convert to. It would be great for someone that surfs the web, does email, uses openoffice.org, etc. Once you get beyond general productivity applications, it'll be more difficult.

[Cleo]

There is always the Mac alternative...

[nate]

Photoshop is only one of the apps I'd miss. I couldnt work without lucas rename, SR, fireworks, illustrator, thumbs plus, AcDSeee frontpage, textpad, excel, colorschemer and VDub. Not to mention I'd be pissed if I didnt have foobar2k. Autocad comes in handy when Im working on the house, 3d studio and Rhino are the only 3d apps I can stomach.

I use a lot of GPL stuff, and will use the open source version over the commercial one if it is up to par - open office and firefox are good examplles. Apache, php, mysql etc. Good shit.

[nate]

Quote:

Originally Posted by Cleo

There is always the Mac alternative...

Do they still make macs?

[nate]

Quote:

Could you use FP on Linux - I don't know, all I can
say about a professional webmaster using FrontPage for a professional
site at all is

Nothing is better than Front Page for working with tables. Nothing even comes close. Yeah, front page does goofy shit but if you use it to build html and finish that html in textpad it kicks ass. And I'm not unsure that MSN doesnt give preferences to pages with "frontpage" in the metas. If its all you use, and doubly if you use the extensions and assorted garbage that goes with a fronpage site, thats pretty lame, but as a tool it has strengths nothing else can touch.

Go ahead and laugh. Before you finish your 10 seconds of chucking I'll have a 10x10 table built and modified with merged cells, padding and alignment to suit my needs.

On the other hand, Most sites I see today are nothing but sliced up photoshop images. Pretty, but not my thing. To each his own I suppose.

[Simon]

Quote:

Do they still make macs?

You know it's the 21st Century right?

Quote:

Nothing is better than Front Page for working with tables.

Tables? Same question as above.

Btw - just jerking your chain.

[Preacher]

I dealt with an infected Vista machine this week. I think I was able to disable the virus, but it left some kind of obfuscation crap that we can't remove and the machine is acting quirky...
We've decided to backup the data and and restore back to the factory image after making sure the corruption didn't move to the back-up drive.

[Useless]

Quote:

Originally Posted by nate

Go ahead and laugh. Before you finish your 10 seconds of chucking I'll have a 10x10 table built and modified with merged cells, padding and alignment to suit my needs.

People still use tables?

[nate]

Quote:

Originally Posted by Useless Warrior

People still use tables?

I use tables constantly. I fucking hate CSS.

Quote:

You know it's the 21st Century right?

Yeah. Macs are 20th century. 1990 to be more specific. LOL at snail commercials.

I watched a college professor crash a mac 6 times in one hour showing us how to use some 3d app (like stratus or something) in college. I felt bad for him.

[whitey]

Quote:

Originally Posted by nate

Nothing is better than Front Page for working with tables. Nothing even comes close. Yeah, front page does goofy shit but if you use it to build html and finish that html in textpad it kicks ass. And I'm not unsure that MSN doesnt give preferences to pages with "frontpage" in the metas. If its all you use, and doubly if you use the extensions and assorted garbage that goes with a fronpage site, thats pretty lame, but as a tool it has strengths nothing else can touch.

Go ahead and laugh. Before you finish your 10 seconds of chucking I'll have a 10x10 table built and modified with merged cells, padding and alignment to suit my needs.

On the other hand, Most sites I see today are nothing but sliced up photoshop images. Pretty, but not my thing. To each his own I suppose.

Tables in Dreamweaver are a snap.

And, yes, tables work better for some things than css. I hate the serial loading in poorly framed css tables and think most Surfers do too. As you still use tables, and have great tech knowledge, you likely think the same thing.

[nate]

Quote:

Originally Posted by whitey

Tables in Dreamweaver are a snap.

And, yes, tables work better for some things than css. I hate the serial loading in poorly framed css tables and think most Surfers do too. As you still use tables, and have great tech knowledge, you likely think the same thing.

Its not bad, but not quite as easy Front Page, at least for initially creating the table.

Even so, getting back to the original point, dreamweaver requires windows or one of those apple things. It isnt for linux.

And no I don't want to use an emulator even if it claims it isnt an emulator.

[whitey]

Quote:

Originally Posted by nate

Its not bad, but not quite as easy Front Page, at least for initially creating the table.

Even so, getting back to the original point, dreamweaver requires windows or one of those apple things. It isnt for linux.

And no I don't want to use an emulator even if it claims it isnt an emulator.

Since you use unix, have you tried the W3C released app, Amaya? I just downloaded it for windows, but it was built to run on unix pc's.

[nate]

Quote:

Originally Posted by whitey

Since you use unix, have you tried the W3C released app, Amaya? I just downloaded it for windows, but it was built to run on unix pc's.

I'm gonna try it. Philosophically, I prefer open source software, although I do understand that all of my philosophy and $4.50 will get me a breve latte.

[digifan]

Quote:

Originally Posted by Cleo

No worms here